US9426172B2ActiveUtilityA1

Security threat detection using domain name accesses

98
Assignee: SPLUNK INCPriority: Jul 25, 2013Filed: Aug 1, 2015Granted: Aug 23, 2016
Est. expiryJul 25, 2033(~7 yrs left)· nominal 20-yr term from priority
A61G 17/042A61G 17/041A61G 17/044H04L 63/10H04L 63/1441A61G 17/0073H04L 67/02H04L 63/1416G06F 21/50G06T 11/26A61G 2017/041H04L 61/1511G06T 11/206A61G 2017/042A61G 2017/044A61G 17/04H04L 61/4511
98
PatentIndex Score
188
Cited by
17
References
30
Claims

Abstract

Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method, comprising:
 extracting a set of accessed domain names from a set of events stored in a field-searchable data store, wherein each accessed domain name in the set of accessed domain names was not detected in events generated prior to generation of the set of events; 
 identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was first detected within the set of events; 
 identifying a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names; 
 determining, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed; 
 causing display of information relating to the access count; 
 wherein the method is performed by one or more computing devices. 
 
     
     
       2. The method of  claim 1 ,
 wherein the respective registration time is identified based on a time of generation of an event in the set of events that includes the accessed domain name. 
 
     
     
       3. The method of  claim 1 ,
 wherein the respective registration time is identified based on a time included in one or more events in the set of events that includes the accessed domain name. 
 
     
     
       4. The method of  claim 1 , wherein the display of information comprises at least one of: a graph, a scatter plot, a table, or a message. 
     
     
       5. The method of  claim 1 , further comprising:
 identifying a second subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the second subset of accessed domain names is within a defined time period, and wherein the second subset includes at least two accessed domain names; 
 determining, for each accessed domain name in the second subset, a respective access count corresponding to how many times the set of events indicates that each accessed domain name in the second subset was accessed; 
 causing display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the second subset. 
 
     
     
       6. The method of  claim 1 , further comprising:
 receiving an input corresponding to a selection of a particular identified accessed domain name; 
 presenting additional detail pertaining to events in the set of events that included the particular identified accessed domain name. 
 
     
     
       7. The method of  claim 1 , further comprising:
 identifying a second subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the second subset of accessed domain names is within a defined time period, and wherein the second subset includes at least two accessed domain names; 
 determining, for each accessed domain name in the second subset, a respective access count that represents how many times the set of events indicates that the accessed domain name in the second subset was accessed. 
 
     
     
       8. The method of  claim 1 , further comprising:
 determining that the access count for a particular accessed domain name in the subset exceeds a threshold number; and 
 causing access to the particular accessed domain name in the subset to be blocked. 
 
     
     
       9. The method of  claim 1 , wherein an event in the set of events includes unstructured data. 
     
     
       10. The method of  claim 1 , wherein an event in the set of events includes machine data. 
     
     
       11. The method of  claim 1 , wherein an event in the set of events includes structured data. 
     
     
       12. The method of  claim 1 , wherein each accessed domain name in the set of accessed domain names corresponds to an accessed Web page. 
     
     
       13. An apparatus, comprising:
 a subsystem, implemented at least partially by hardware, that extracts a set of accessed domain names from a set of events stored in a field-searchable data store, wherein each accessed domain name in the set of accessed domain names was not detected in events generated prior to generation of the set of events; 
 a subsystem, implemented at least partially by hardware, that identifies a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was first detected within the set of events; 
 a subsystem, implemented at least partially by hardware, that identifies a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names; 
 a subsystem, implemented at least partially by hardware, that determines, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed; 
 a subsystem, implemented at least partially by hardware, that causes display of information relating to the access count. 
 
     
     
       14. The apparatus of  claim 13 ,
 wherein the respective registration time is identified based on a time of generation of an event in the set of events that includes the accessed domain name. 
 
     
     
       15. The apparatus of  claim 13 ,
 wherein the respective registration time is identified based on a time included in one or more events in the set of events that includes the accessed domain name. 
 
     
     
       16. The apparatus of  claim 13 , wherein the display of information comprises at least one of: a graph, a scatter plot, a table, or a message. 
     
     
       17. The apparatus of  claim 13 , further comprising:
 a subsystem, implemented at least partially by hardware, that identifies a second subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the second subset of accessed domain names is within a defined time period, and wherein the second subset includes at least two accessed domain names; 
 a subsystem, implemented at least partially by hardware, that determines, for each accessed domain name in the second subset, a respective access count corresponding to how many times the set of events indicates that each accessed domain name in the second subset was accessed; 
 a subsystem, implemented at least partially by hardware, that causes display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the second subset. 
 
     
     
       18. The apparatus of  claim 13 , further comprising:
 a subsystem, implemented at least partially by hardware, that receives an input corresponding to a selection of a particular identified accessed domain name; 
 a subsystem, implemented at least partially by hardware, that presents additional detail pertaining to events in the set of events that included the particular identified accessed domain name. 
 
     
     
       19. The apparatus of  claim 13 , further comprising:
 a subsystem, implemented at least partially by hardware, that determines that the access count for a particular accessed domain name in the subset exceeds a threshold number; and 
 a subsystem, implemented at least partially by hardware, that causes access to the particular accessed domain name in the subset to be blocked. 
 
     
     
       20. The apparatus of  claim 13 , wherein an event in the set of events includes at least one of: unstructured data, machine data, or structured data. 
     
     
       21. The apparatus of  claim 13 , wherein each accessed domain name in the set of accessed domain names corresponds to an accessed Web page. 
     
     
       22. One or more non-transitory storage media storing instructions which, when executed by one or more computing devices, cause:
 extracting a set of accessed domain names from a set of events stored in a field-searchable data store, wherein each accessed domain name in the set of accessed domain names was not detected in events generated prior to generation of the set of events; 
 identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was first detected within the set of events; 
 identifying a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names; 
 determining, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed; 
 causing display of information relating to the access count. 
 
     
     
       23. The one or more non-transitory storage media of  claim 22 ,
 wherein the respective registration time is identified based on a time of generation of an event in the set of events that includes the accessed domain name. 
 
     
     
       24. The one or more non-transitory storage media of  claim 22 ,
 wherein the respective registration time is identified based on a time included in one or more events in the set of events that includes the accessed domain name. 
 
     
     
       25. The one or more non-transitory storage media of  claim 22 , wherein the display of information comprises at least one of: a graph, a scatter plot, a table, or a message. 
     
     
       26. The one or more non-transitory storage media of  claim 22 , wherein the instructions which, when executed by the one or more computing devices, cause:
 identifying a second subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the second subset of accessed domain names is within a defined time period, and wherein the second subset includes at least two accessed domain names; 
 determining, for each accessed domain name in the second subset, a respective access count corresponding to how many times the set of events indicates that each accessed domain name in the second subset was accessed; 
 causing display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the second subset. 
 
     
     
       27. The one or more non-transitory storage media of  claim 22 , wherein the instructions which, when executed by the one or more computing devices, cause:
 receiving an input corresponding to a selection of a particular identified accessed domain name; 
 presenting additional detail pertaining to events in the set of events that included the particular identified accessed domain name. 
 
     
     
       28. The one or more non-transitory storage media of  claim 22 , wherein the instructions which, when executed by the one or more computing devices, cause:
 determining that the access count for a particular accessed domain name in the subset exceeds a threshold number; and 
 causing access to the particular accessed domain name in the subset to be blocked. 
 
     
     
       29. The one or more non-transitory storage media of  claim 22 , wherein an event in the set of events includes at least one of: unstructured data, machine data, or structured data. 
     
     
       30. The one or more non-transitory storage media of  claim 22 , wherein each accessed domain name in the set of accessed domain names corresponds to an accessed Web page.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.